Getting started

Core concepts

Provenance is a small set of ideas borrowed from the open C2PA standard, plus two of our own: the transparency log and explicit AI disclosure. Understand these six and the rest of the docs follows.

Manifest & claim

A manifest is the bundle of provenance information attached to an asset. At its heart is a claim, a set of statements about the asset that the signer cryptographically commits to: who produced it, with what tool, when, the edit history, and a binding to the asset’s bytes. The signer wraps the claim in a digital signature. Verifying checks that signature and the binding.

A signature scopes origin + integrity

A valid signature proves the claim came from the holder of a particular key and that the asset matches what was signed. It does not make the claim’s contents true. A signer can sign a false statement. That is why trust (below) is a separate decision.

Assertions & the C2PA action vocabulary

A claim is built from assertions (individual, labelled statements). The most important is c2pa.actions, the ordered edit history. C2PA defines a controlled vocabulary of actions so “cropped” means the same thing across every tool. Signata recognises and emits this standard set:

c2pa.createdc2pa.openedc2pa.placedc2pa.editedc2pa.color_adjustmentsc2pa.croppedc2pa.resizedc2pa.filteredc2pa.drawingc2pa.convertedc2pa.published

Other assertions carry EXIF (stds.exif), authorship (stds.schema-org.CreativeWork), training/mining preferences (c2pa.training-mining), and the hard binding itself (c2pa.hash.data).

Bindings: hard and soft

A binding is what ties a manifest to a specific asset. There are two, and they fail in opposite, complementary ways.

Hard binding

A sha256 hash taken over the asset’s bytes with the manifest region excluded, recorded inside the signed claim. To verify, recompute it from the bytes you received and compare.

Any re-encode, crop, resize, or metadata strip changes those bytes, so the recomputed hash no longer matches. That mismatch is tamper detection. It yields the tampered verdict.

Soft binding

Because metadata is easily stripped in transit, a hard binding alone can leave a legitimate asset looking like it has no_provenance. The soft binding recovers provenance by looking the asset’s content hash up in the transparency log.

It is best-effort: it works for assets Signata issued, and only while the bytes still hash to the same value. See the transparency log.

The honest asymmetry

Hard binding can never produce a false verified from edited bytes. A changed byte changes the hash. Soft binding can only ever recover a credential, never invent one. Both are designed so the failure mode is “we couldn’t confirm,” not “we wrongly confirmed.”

Trust list

A valid signature tells you which key signed. Whether you trust that key is a policy choice: yours. That distinction is the entire difference between two verdicts:

verified: the signature and binding are valid and the signer is in your trust list.

provenance_present_untrusted: the signature and binding are equally valid, but the signer is not (yet) trusted. Same cryptography, different policy.

The strong path is a key thumbprint match: trust is bound to a specific public-key thumbprint, not a display name, so a signer cannot impersonate a trusted one by copying its name. Signata ships known issuers (Adobe, OpenAI, supported cameras) as reference data, but adding them to your trust list is always an explicit choice, never an automatic grant.

AI disclosure

AI involvement is disclosed, not detected. It is read from two places in the manifest and is orthogonal to the verdict:

The IPTC DigitalSourceType on an action, e.g. …/digitalsourcetype/trainedAlgorithmicMedia for fully generated media, or the composite variant for AI-assisted edits.

Signata’s explicit com.signata.ai-disclosure assertion: a machine-readable generated/edited flag we emit when you sign.

Because disclosure is orthogonal, a verified asset can also be openly AI-generated. That is a feature: Signata helps creators disclose AI honestly, with a verified credential, rather than pretending to detect it after the fact. Absence of an AI disclosure means “not disclosed,” not “confirmed human.”